I like dlang but i don't like dub

H. S. Teoh hsteoh at quickfur.ath.cx
Tue Mar 22 19:10:27 UTC 2022


On Tue, Mar 22, 2022 at 05:36:13PM +0000, IGotD- via Digitalmars-d-learn wrote:
> On Friday, 18 March 2022 at 18:16:51 UTC, Ali Çehreli wrote:
> > 
> > The first time I learned about pulling in dependencies terrified me.
[...]
> > https://medium.com/hackernoon/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
> > 
> > Despite such risks many projects just pull in code. (?) What am I
> > missing?
> > 
> 
> This is an interesting observation and something of an oddity in
> modern SW engineering. I have been on several projects where they just
> download versions of libraries from some random server. For personal
> projects I guess this would be ok but for commercial software this
> would be a big no-no for me. Still the trend goes towards this. Now,
> several build systems and packet manager software have the possibility
> to change the server to a local one.  Changing to a local one is unusual
> though which is strange.
[...]

To be fair, even though I'm clearly on the side of not depending on
external resources, there are various reasons why one might prefer to go
the route of dub / the modern trend of package managers that depend on
external resources.

- It alleviates the tedium of having to manually maintain local archives
  of 3rd party packages. When the code is needed, it gets downloaded
  from the upstream servers. The package manager (dub in this case)
  manages the local cache for you.

- You get updates automatically. If there's a critical security fix, for
  example, you'll get it upon the next build; you don't even have to be
  aware of the existence of the security flaw and its fix to reap the
  benefits.  When a new feature is made available upstream, you don't
  have to manually download the latest version to reap the benefits; you
  get it automatically upon the next retrieval of the package.

- It's very convenient: you don't have to know where the upstream
  servers are, how to download it, where to store it -- the package
  manager handles that all for you. You just specify which packages you
  want, and it takes it from there.

Of course, as with programming projects in general, convenience often
comes at a price.  The security flaws that crop up, for example, which,
in today's threat landscape, are much more frequent and important than a
decade ago, and worthy of some very serious consideration. While
automatic downloads do get you "automatic" security fixes, they also
introduce potential security holes (trojan attacks, MITM attacks,
etc.).

Also, the long-term consequences of convenience. A lot of the benefits
of external dependencies are short-term benefits; over the long term,
they get outweighed by long-term maintenance issues, like the ones I
mentioned in my other post (long-term compatibility, breaking changes,
availability, etc.).


T

-- 
Only boring people get bored. -- JM

